Protecting children's data privacy in the smart city

The Conversation16 May 2019, 10:36 GMT+10

The devices that we use have unique identifiers. With cross-browser fingerprinting, the data we generate as users isn't as anonymized as we believe it is. The tracking of our online activity is extensive, comprehensive and persistent, and generates marketable data shadows that do not need our personal information in order to target us as consumers.

This should be a significant concern regarding today's children and youth, who have extremely detailed data profiles that they will carry into adulthood, creating what Google's Eric Schmidt termed an "indelible record."

What is key to note here is that these instances of alleged violations of children's privacy have occurred in the private realm, where regulations exist as to how this data should be handled. As smart city projects like Sidewalk Toronto's Quayside project grow in profile and popularity, they have yet to identify what will happen to data generated in public by minors. Because Sidewalk Toronto may set precedents shaping future smart city planning, children's privacy in the private and public spheres should be recognized as a national issue.

Sidewalk Toronto is a subsidiary of Alphabet Inc., Google's parent company, with several concerning precedents regarding tracking and collecting the data of minors. The findings reported here are an extension of a longer paper as to how tech and media giants are observation privacy needs of minors. "Data Science, Disney, and The Future of Children's Entertainment" will be published in The Palgrave Handbook of Children's Film and Television (July 2019).

Minors can't consent

Children today face unique challenges because they will be targeted by business intelligence, and shaped by this targeting to a degree that we cannot fathom. There are legal protections for minors under 13 as stated by the Office of the Privacy Commissioner of Canada (OPC) and Children's Online Privacy Protection Rule (COPPA) in the United States. Children and youth are recognized as vulnerable and deserving of special considerations: they cannot make informed decisions as to what they are agreeing to. This makes the data tracking and mining of children under 13 a federal issue.

In Europe, the General Data Protection Regulation (GDPR) applies to minors younger than 13 or 16, depending on the country's age of digital consent. Youth of the age of digital consent (13 or 16 years old and up) are not protected as minors in Canada, the U.S. or Europe: youth data is treated as adult data.

Complaints regarding the data of minors

Given the pattern of inattention and prevarication evident in the instances noted here by Alphabet Inc.'s subsidiaries ensuring data privacy and protection of minors - the most regulated protected demographic in the U.S. - why should Sidewalk Toronto be trusted with the data of minors? For Torontonians, how exactly will Quayside ensure that the data of minors will be protected given that there has been no acknowledgement of the distinct concerns regarding minors or teens to date?

Here's a recap of some of the complaints and alleged violations before the U.S. Federal Trade Commission (FTC), some of them still active. In some instances, complainants allege that the sharing of personal data of minors has knowingly occurred. Other complaints note current and past failures of oversight in regards to minors, offensive content and pedophilic activity.

1) In 2018, the Campaign for a Commercial Free-Childhood (CCFC) filed a complaint that details how Google violated COPPA when collecting personal data from minors.

2) A 2018 study published in the Proceedings on Privacy Enhancing Technologies finds that "thousands of Android apps potentially violate child protection law." Google's Play Store potentially failed to enforce COPPA compliance in thousands of child-directed apps. The complaint to the FTC expands on how the Google Play Store apps are marketing to children and in turn, violating children's privacy.

3) Although not the first warning, author James Bridle's essay "Something is Wrong on the Internet" launched a media storm of concern as to the lack of regulation for child-directed bot-generated videos on YouTube Kids, thousands of which offered disturbingly violent, copyright-violating content. In April 2018, YouTube Kids finally launched "new features that allow parents to create a white-listed, non-algorithmic version of its Kids app," after months of parent and media watch groups demanding this function.

YouTube's response revealed the lack of human oversight regarding inappropriate content on YouTube Kids: "Flagged videos are manually reviewed 24/7 and any videos that don't belong in the app are removed within hours. For parents who want a more restricted experience, we recommend that they turn off the Search feature in the app." That YouTube only removed content once flagged and vetted by humans meant that highly disturbing content was being served to minors without parents' knowledge because of algorithmic discovery.

4) The reliance on algorithmic recommendations for ad revenue has repeatedly resulted in a failure to regulate offensive material on YouTube and YouTube Kids. In March 2017, AT&T, Johnson & Johnson and other companies pulled ads from YouTube because of ad placements next to objectionable content. Following these announcements, "...Google had outlined steps it would take to stop ads from running next to 'hateful, offensive and derogatory content' on YouTube and websites in its display network."

Minors: private data and public space

Given this pattern of inattention to violation of privacy regulations regarding minors, what assurance do we have that Sidewalk Labs and Sidewalk Toronto will be proactive in protecting the data privacy of children?

The consideration of any potential violation of the data privacy of minors may present a point of legislative challenge to Sidewalk Toronto, especially considering the lack of transparency as to how data is collected. How Quayside's data foraging will distinguish between data generated by minors and those over the age of digital consent is unknown. Sidewalk Toronto has made no mention of minors in any public documents to date.

The pattern of inattention should make us wary of granting Sidewalk Toronto access to resident and public data without a very clear understanding of what is being tracked, archived, analyzed and shared.